DHH Wants To Make Web Dev Easy Again, With Ruby on Rails


“Compress the complexity of modern web apps,” promises Ruby on Rails.

“What’s happened over the past let’s say 10 years, in my experience, is that we’ve sort of all turned into pink elephants — pink elephants tied with a tiny rope of learned helplessness, when it comes to deployment,” says Ruby on Rails creator David Heinemeier Hansson. “The entire industry has cultivated a fear of touching a server! A fear of being responsible for a computer!”

Or, as Hansson put it in a Nov. 7 blog post, “Deploying modern web apps — with all the provisions needed to be fast and secure while easily updateable — has become so hard that many developers don’t dare do it without a PaaS.”

“But that’s ridiculous.”

With the latest version of Ruby on Rails, Hansson hopes to eliminate even the need for caching dependencies like nginx and other proxy services, while continuing his anti-PaaS crusade. “Nobody should have to pay orders of magnitude more for basic computing just to make deployment friendly and usable,” Hansson writes. “That’s a job for open source, and Rails 8 is ready to solve it.”

Hansson’s blog post touted all the new features Rails 8 brings to its long-running application framework. There’s a deployment tool with a new feature-loaded proxy, speedy new database-backed adapters for caching and queuing, and a slick new default asset pipeline. Also, there is what Hansson describes as “a complete authentication system generator, which creates an excellent starting point for a session-based, password-resettable, metadata-tracking authentication system.”

But along the way, he’s also trying to remind developers that they really can go it alone, armed only with the power of Rails. And it’s a point he hammered home in a late-September keynote at the Rails World conference in Toronto.

Petrified of the Server?

Hansson started by calling out an almost diabolical plan. “You convinced programmers that computers were so fucking hard that they shouldn’t touch them themselves? Bravo….” And then he drew a laugh — and applause — when he said, “The problem, in part, is…” — and then put up the AWS logo.

Hansson conceded that “AWS is amazing” (in a “we humans are capable of this” way). “We humans are capable of putting an entire army of server monkeys behind an API, and they can run real fast… ” But as he sees it, most companies don’t have the same gargantuan traffic spikes as Amazon does around, say, Black Friday. “Most of us don’t live in that context. Most applications, most of the time, do not have a problem that requires constant racking of server monkeys behind an API. And the price we pay — for the insurance policy in case we did — is exceptionally high. Not just monetarily, but complexity-wise…”

In Hansson’s telling, AWS is unfortunately a business where “the incentive for AWS is for you to stay a pink elephant forever. Forever to be petrified of the server. Forever to be petrified of running your own ship.”

“No,” Hansson says dramatically, putting up a picture of a Batman villain. “We’re not going to let the Joker win…!”

Deploying With Kamal 2

So, how exactly will Rails 8 make deployment easier? Partly by shipping with a preconfigured version of the deployment tool Kamal 2, which Hansson describes as “how you’re going to get your application into the cloud, or into your own hardware, or into any container or into anywhere you want to put it…”

In fact, it’s Kamal that allows companies to actually leave the cloud, Hansson says — and Kamal 2 “levels this up substantially. It does auto-SSL, so you don’t even have to know anything about how to provision an SSL certificate — it does it automatically through Let’s Encrypt. It allows multiple applications to run on a single server, so we scale down as well as scaling up…” Hansson’s blog post explains just how easy it is: Kamal “takes a fresh Linux box and turns it into an application or accessory server with just a single kamal setup command. All it needs is the IP addresses for a set of servers with your SSH key deposited, and you’ll be ready to go into production in under two minutes.”

It’s simple and it’s quick, Hansson writes, partly because Rails already ships with a Dockerfile “for turning your application into a production-ready container image out of the box. All you need to bring is your own container registry account, like Docker Hub or GitHub, for storing the images.” And in his keynote, Hansson noted that even that Dockerfile has been upgraded in Rails 8 with a new HTTP/2 proxy (in front of the Puma web server) called Thruster, offering asset caching and compression, plus X-Sendfile acceleration, “installed by default in our lovely default Docker image…”

This all means that the default Rails 8 container “is ready to accept traffic from the internet immediately,” Hansson’s blog post explains. Kamal 2’s proxy also boasts built-in integration for 1Password, Bitwarden, and LastPass.

And in his keynote, Hansson emphasized it’s all part of the larger mission to eliminate dependencies like nginx and other proxies and “things you have to put in front of your application before it’s ready to face the internet.

“The mission for Rails 8 was, the Rails 8 container image that comes out of the default setup should be directly exposable to the internet. It should be fast, it should be secure, it should be easy to use, and it should require no expertise.”

Authentication

During his keynote, Hansson mocked the argument that a PaaS offers higher security. “‘What about the hacker? He’s going to get me!’ That’s the pink elephant talking,” he quipped.

He put up a slide with the simple instructions for setting up SSH key authentication and a firewall with a nice UI — saying 90% of Linux box security is essentially just remembering to lock the door.

“We’re not going to let them convince us that servers are so difficult that AWS should have 40% margins.”

Server-phobia (with cure is Linux) - David Heinemeier Hansson - screenshot from keynote at Rails World 2024

Hansson told his audience that the cure for server phobia was Linux. And soon he’d put up a slide with the word Authentication, though he cautioned the audience that “Rails 8 is not going to ship with ‘Devise’. It’s not going to ship with a black box of security.”

Instead, last December Hansson promised “a basic authentication generator that essentially works as a scaffold” to teach Rails developers how to set up security themselves. “It’s going to put you on the path of learning what the fuck is going on…” Hansson told his audience at Rails World. “You actually have to realize that authenticating a user is not worth being a pink elephant for — let alone paying someone else to do it. You should understand the basics of secure passwords. It’s not that difficult.”

Low-Latency Without Redis

Hansson also made a point of saying he’s already proud of how Rails 7 discarded the baggage of the past and simplified the asset pipeline for CSS and JavaScript… But they’ve made it even simpler in Rails 8 with a brand new asset pipeline library called Propshaft. “The database today is so fast that we do not need RAM for most operations. And we should take full advantage of that. And in Rails 8, we have.”

This ultimately means low-latency performance without the need to implement a quick-response database tool like Redis, Hansson says. Instead, Rails 8 ships with its own trio of powerful database-based adapters:

  • Solid Cable for websocket communications. It gets within 50% of the performance of Redis’s purely RAM-based operations, Hansson says. “And it’s writing to a freakin’ file. That’s incredible. That’s one of those a-ha moments where like… This would not’ve been possible in 2009.”
  • Solid Queue for running jobs. Hansson calls this “the crown jewel of the Solid trifecta” — a fully-featured (and high-performance) active job back-end for all the major databases, “backed in a way where you can actually interrogate if something goes wrong.” (Thanks to “all these dials that you need to expose to tune things in high-velocity environments”.) Hansson compared it to the Linux job-scheduling tool cron, calling it “a better cron that runs fully inside your Rails application, and can start any job.”
  • Solid Cache for caching. Hansson jokes that this solves a problem he experienced after building the first prototypes of the HEY email client. His wife asked him if her emails in that beta system could be read by HEY’s employees, and he was forced to answer…. “yes.” HEY’s database is now fully encrypted — and encryption is also supported in Rails 8’s Solid Cache. “It is a big leap forward for privacy, and I’m hoping it’s something more people adopt.”

SQLite for Everything

It’s simpler under the hood, too. As Hansson explained on the Changelog podcast, “Rails 8 uses SQLite for literally everything out of the box. We use SQLite for the jobs, the queuing backend, we use SQLite for caching, we use SQLite for the web sockets coordination… And obviously we use SQLite for the main database that your domain models are being persisted into. That’s all of it, which means that the deployment story gets so much better, gets so much simpler.”

And as the podcast continued, Hansson marveled at how quickly a project can now be “full-on ready to go, ready to serve internet traffic. I have everything exposed here as a real IP to the internet. That path has never been shorter. And not only has it never been shorter, the fact that it no longer leans on some commercial subscription that you need — that just warms my heart…”

On the podcast, Hansson said he wants to create a world where “the bare metal deployment scenario looks virtually identical to the cloud deployment scenario.” And he’s proud of the tools they’ve now created. In his keynote he said Solid Queue is already handling 20 million jobs a day for HEY, and “we have another 80 million jobs to run on Basecamp and some of our other systems. We’re going to bring it all onto Solid Queue to run about 100 million jobs a day. It works. It’s good. It’s easier.

“It does not require seven gems, and you can take Redis out of your stack when you shift.”
